Malware.trace issue

34 replies to this topic

#1 hobenenenen (New Member, 31 posts)
Hello, I'm new to this forum but have been using MBAM for some time now and I love it. It has been very helpful in the past up till now. Currently my only problem is that this threat called "malware.trace" has been recurring in my scans, and every time I remove it (and scan promptly after) it shows up again. I don't know what it's doing, but regardless, I want to know how to get rid of it. I'm not sure what to do, so any help will be greatly appreciated. I read I'm supposed to post my MBAM and HJT logs here, so here they are.


Malwarebytes' Anti-Malware 1.36
Database version: 2118
Windows 5.1.2600 Service Pack 2

5/12/2009 6:26:22 PM
mbam-log-2009-05-12 (18-26-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 151083
Time elapsed: 50 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:05 PM, on 5/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://myuhportal.h...me/displaylogin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241583068796
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.trickster...sterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.trickster...utComponent.cab
O20 - AppInit_DLLs: karna.dat
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 12027 bytes



Thanks in advance.

#2 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)
Hello hobenenenen and welcome!

You have two antiviruses (or is it antivirii?) installed: Avira Antivir and AVG. You need to remove one of these immediately because running both can cause conflicts and system hangs. Personally, I find that Avira Antivir is excellent and compatible with most other security programs, so I recommend you keep that one.

Next, uninstall Viewpoint Manager and SystemDoctor.

Please download ATF Cleaner by Atribune
  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

________________________________________________________________________

Launch HijackThis (HJT) by clicking the desktop shortcut and choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
O20 - AppInit_DLLs: karna.dat
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Close HJT.

Reboot.

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingc...opic114351.html

Next, please perform a rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as hoben.exe

Notes:
  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.

    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingc...to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html

Also, disable your firewall!
You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\newyork.exe"
  • Now, relaunch MBAM by double-clicking newyork.exe in the MBAM folder.
  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Please post C:\ComboFix.txt, your antirootkit log (ARK.txt), and a new MBAM log in your next reply.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
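As an added example, not part of this thread or of any tool it mentions, here is a small Python triage script that flags the indicator classes negster22 picked out of the HJT log (hosts-file entries pointing at a non-loopback address, the SystemDoctor autorun, a populated AppInit_DLLs value) plus two more visible in the same log (a browser proxy pointed at localhost and services whose binary is missing). The sample lines and the rogue-path marker are constructed from lines posted in this thread; the rule set and severities are my own.

```python
"""Triage a HijackThis (HJT) log for the indicator classes seen in this thread."""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple


class Finding(NamedTuple):
    section: str   # HJT section tag, e.g. "O1"
    severity: str  # "high" or "low"
    reason: str
    line: str


LOOPBACK_IPS = {"127.0.0.1", "::1"}

# Path fragments of software the thread identifies as rogue (SystemDoctor).
# Constructed, minimal list for this example; extend it from your own intel.
ROGUE_PATH_MARKERS = ("systemdoctor",)

# Constructed sample lines, modelled on the HJT log posted in this thread.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171",
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 91.212.65.122 browser-security.microsoft.com",
    r"O1 - Hosts: 91.212.65.122 antiwareprotect.com",
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe",
    r'O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c',
    r"O20 - AppInit_DLLs: karna.dat",
    r"O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)",
]

_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
_R1_PROXY = re.compile(r"^R1 - .*ProxyServer\s*=\s*(.+)$")
_O4 = re.compile(r"^O4 - .*\[(.+?)\]\s+(.*)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
_O23 = re.compile(r"^O23 - Service:.*\(file missing\)\s*$")


def triage_line(line: str) -> List[Finding]:
    """Return zero or more findings for a single HJT log line."""
    line = line.strip()
    out: List[Finding] = []
    m = _O1.match(line)
    if m:
        # A hosts entry that sends a name to a remote IP (here a vendor-looking
        # domain) is the classic block-the-security-sites hijack.
        ip, host = m.groups()
        if ip not in LOOPBACK_IPS:
            out.append(Finding("O1", "high", f"hosts file sends {host} to {ip}", line))
        return out
    m = _R1_PROXY.match(line)
    if m:
        # Browser traffic routed through a local port means something on the
        # box is sitting between the user and the web.
        value = m.group(1).lower()
        if "localhost" in value or "127.0.0.1" in value:
            out.append(Finding("R1", "high", "browser proxied through a local port", line))
        return out
    m = _O4.match(line)
    if m:
        name, cmd = m.groups()
        if any(marker in cmd.lower() for marker in ROGUE_PATH_MARKERS):
            out.append(Finding("O4", "high", f"autorun [{name}] launches known rogue software", line))
        return out
    m = _O20.match(line)
    if m:
        # AppInit_DLLs is normally empty; any value is loaded into every
        # process that links user32.dll.
        if m.group(1).strip():
            out.append(Finding("O20", "high", "AppInit_DLLs injects a DLL into every process", line))
        return out
    if _O23.match(line):
        out.append(Finding("O23", "low", "service points to a missing binary (orphaned uninstall)", line))
    return out


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        findings.extend(triage_line(line))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per HJT section, e.g. {"O1": 2, "O20": 1}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f.severity:4}] {f.section}: {f.reason}\n        {f.line}")
```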

#3 hobenenenen (New Member)

negster22, on May 14 2009, 05:15 PM, said: [post #2 quoted in full]



Hello negster22,
thanks for your help.

So far I have done up to the HJT "Fix Checked" step. As for your initial instructions to remove AVG, I could not find it in my Control Panel Add/Remove Programs list. I found a ViewPoint Media Player (not Manager) and proceeded to remove that. I did not find SystemDoctor however.

I did the ATF cleaner step. In the HJT log step, I found all but the last one (ViewPoint) and removed them all. I also found a few AVG ones but did not remove them because you did not instruct me to do so. So now I await your instructions. If there are no changes to the instructions, just let me know and I will look back on your first post.

#4 negster22 (Elite Member)
Please check these AVG items in your HJT log for removal and then hit "Fix Checked"

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)

Reboot and continue with the rest of the directions including the ARK scan and Combofix run.

I am not surprised that you couldn't find SystemDoctor in Add/Remove Programs because it is classified as a rogue program.
http://www.threatexp...s/DNSE.exe.html

#5 hobenenenen (New Member)

negster22, on May 15 2009, 05:11 AM, said: [post #4 quoted in full]


I removed the 6 AVG items you pointed out, but there are still two:

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)

Should I delete those two too? I'm currently performing the antirootkit scan now on my laptop (I'm on another computer at the moment). Should I just ignore the SystemDoctor for now since you didn't instruct me to do anything else about it? Anyway, I will continue with the instructions and reply back when completed. Thanks.

#6 negster22 (Elite Member)
You can check these for removal in HJT too:
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)

Apparently, they are just dormant leftovers after removing AVG, and are not inactive. I am not that concerned about those because we will get all that and more with Combofix. My main concern is that you are not using two active AVs simultaneously.

Yes, continue with the ARK scan and Combofix.

We'll use Combofix to remove any and all bad stuff.

Don't forget to disable Antivir before running Combofix, and re-enable after the Combofix log is generated.

Directions:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background (looks like this)

* right click it -> untick the option AntiVir Guard enable.
* You should now see a closed, white umbrella on a red background.

Reverse the above to re-enable the Antivir Guard after running Combofix

#7 hobenenenen (New Member)

negster22, on May 15 2009, 02:33 PM, said: [post #6 quoted in full]


Alright, I got to the part where I begin running Combofix, but as I start to run it, it alerts me to disable my AVG7.5 (I disabled Avira). But the thing is that a while back, years maybe, I deleted AVG by dragging it to my Trash, not knowing that would not delete it. Now there are only some components of AVG that cannot be deleted. Do I continue the scan? I'll wait till you reply.

#8
negster22

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 1,130 posts
  • Location:Westchester County, NY
Please post a fresh HJT log and the ARK.txt

I have to see if any AVG services are actively running.

Is there an entry in Add/Remove programs for AVG7.5? I guess not, or you would have used it.

You can try rebooting your computer in "SAFE MODE" and running Combofix from there, using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#9
hobenenenen

    New Member

  • Members
  • Pip
  • 31 posts

negster22, on May 17 2009, 09:12 AM, said:

Please post a fresh HJT log and the ARK.txt

I have to see if any AVG services are actively running.

Is there an entry in Add/Remove programs for AVG7.5? I guess not, or you would have used it.

You can try rebooting your computer in "SAFE MODE" and running Combofix from there, using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Nope, there is no AVG7.5 in my Add/Remove programs. I will do the Safe Mode Combofix now. Here is my latest HJT log and ARK.txt:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:03 PM, on 5/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://myuhportal.h...me/displaylogin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241583068796
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.trickster...sterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.trickster...utComponent.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 11103 bytes


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-17 13:17:44
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT F8BB1206 ZwCreateKey
SSDT F8BB11FC ZwCreateThread
SSDT F8BB120B ZwDeleteKey
SSDT F8BB1215 ZwDeleteValueKey
SSDT F8BB121A ZwLoadKey
SSDT F8BB11E8 ZwOpenProcess
SSDT F8BB11ED ZwOpenThread
SSDT F8BB1224 ZwReplaceKey
SSDT F8BB121F ZwRestoreKey
SSDT F8BB1210 ZwSetValueKey
SSDT F8BB11F7 ZwTerminateProcess

Code \??\C:\DOCUME~1\Hoben\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2514 80501404 4 Bytes CALL 4F48CF1A
? System32\Drivers\avg7rsw.sys The system cannot find the path specified. !
? C:\DOCUME~1\Hoben\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

---- EOF - GMER 1.0.15 ----

Attached file: ARK.txt (24.08K)


#10 hobenenenen (New Member, 31 posts)
I ran Combofix in Safe Mode. Note that it did mention to disable AVG7.5 again, but I ran it anyway. I was supposed to, right, since it was in Safe Mode? As I began to run it, it told me to install the Recovery Console, but I didn't have an internet connection (due to Safe Mode, I think), and then I let it run till the end.

Do I manually install the Recovery Console now? I'm back in Normal Mode (not Safe) and have an internet connection. I will now do the last step (renaming mbam.exe to newyork.exe).

Here is my log:


ComboFix 09-05-14.05 - Hoben 05/17/2009 13:34.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.363 [GMT -10:00]
Running from: c:\documents and settings\Hoben\Desktop\hoben.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG 7.5.524 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Hoben\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\Hoben\Local Settings\Temporary Internet Files\usawuvufy.inf
C:\smp.bat
c:\windows\IE4 Error Log.txt
c:\windows\setup.exe
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref

.
((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-15 07:00 . 2009-05-15 07:04 -------- d-----w C:\ARK
2009-05-13 02:18 . 2009-05-13 02:18 -------- d-----w c:\program files\Trend Micro
2009-05-13 02:05 . 2009-03-25 02:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-13 02:05 . 2009-05-13 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-13 02:05 . 2009-05-13 02:05 -------- d-----w c:\program files\Avira
2009-05-13 00:39 . 2009-05-13 00:39 -------- d-----w c:\program files\Java
2009-05-07 05:54 . 2008-10-17 00:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-06 09:59 . 2009-05-06 09:59 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-06 05:04 . 2009-05-06 05:04 -------- d-----w c:\documents and settings\Joe\Application Data\Malwarebytes
2009-04-20 02:43 . 2009-04-20 02:43 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-20 02:42 . 2009-05-06 03:53 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-20 02:42 . 2009-05-06 03:54 -------- d-----w c:\documents and settings\Hoben\Application Data\SUPERAntiSpyware.com
2009-04-20 02:35 . 2009-04-20 02:35 -------- d-----w c:\documents and settings\Ann\Local Settings\Application Data\Google
2009-04-20 02:35 . 2009-04-20 02:35 -------- d-----w c:\documents and settings\Ann\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 06:51 . 2006-06-21 11:50 64336 ----a-w c:\documents and settings\Ann\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-15 06:11 . 2006-06-02 06:42 -------- d-----w c:\program files\Viewpoint
2009-05-13 00:40 . 2008-12-31 05:33 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-07 22:23 . 2006-06-02 05:20 64336 ----a-w c:\documents and settings\Hoben\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 04:07 . 2006-06-02 04:39 64336 ----a-w c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 04:01 . 2006-03-02 09:02 -------- d-----w c:\program files\Sony
2009-05-06 03:50 . 2006-03-07 14:34 -------- d-----w c:\program files\Microsoft Works
2009-04-20 01:36 . 2009-02-22 00:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 07:12 . 2009-04-15 07:12 4744 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-04-07 01:32 . 2009-02-22 00:04 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 01:32 . 2009-02-22 00:04 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:44 . 2006-03-02 06:21 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-02 06:21 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-03-02 06:21 78336 ----a-w c:\windows\system32\ieencode.dll
2008-11-12 22:05 . 2008-11-12 22:05 18003 ----a-w c:\program files\Common Files\jynosevyhu.vbs
2008-11-12 22:05 . 2008-11-12 22:05 14875 ----a-w c:\program files\Common Files\aqus.bin
2006-06-30 06:09 . 2006-06-30 06:09 774144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-20 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-05 114688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-26 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-13 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-29 14720000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/12/2009 4:05 PM 108289]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
orkzuztv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92609ac4-e888-11db-a326-0016ce118fdd}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 05:20]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{03A80B1D-5C6A-42c2-9DFB-81B6005D8023} - c:\program files\Trend Micro\Tmas\sshook.dll


.
------- Supplementary Scan -------
.
uStart Page = https://myuhportal.h...me/displaylogin
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 13:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(216)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-05-17 13:40
ComboFix-quarantined-files.txt 2009-05-17 23:39

Pre-Run: 46,288,388,096 bytes free
Post-Run: 46,395,416,576 bytes free

140 --- E O F --- 2009-05-15 03:52

#11 hobenenenen (New Member, 31 posts)
I did the last step in your initial instructions (rename mbam to newyork, then update, then perform a quick scan). The scan did not detect any malware. Here is the log:

Malwarebytes' Anti-Malware 1.36
Database version: 2146
Windows 5.1.2600 Service Pack 2

5/17/2009 1:59:02 PM
mbam-log-2009-05-17 (13-59-02).txt

Scan type: Quick Scan
Objects scanned: 89672
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




I await any further instructions (whether or not to install the Recovery Console).

#12 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)
Give me some time to go over your logs and make a batch file for you to disable AVG7.5 which is still actively running and fully updated according to Combofix.

Actually, you can install Recovery Console now so it won't become a problem in your next Combofix run which is definitely needed.

Can you tell me if you know what this program is?
c:\ijji\ENGLISH\u_gbound.exe

It currently has access through your firewall, and I thought it might have something to do with gaming?

If not, see if you can view the contents of the folder:
c:\ijji\ENGLISH
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#13 hobenenenen (New Member, 31 posts)

negster22, on May 17 2009, 02:37 PM, said: [post #12, quoted in full]

Alright, I'll install the Recovery Console now, thanks. I believe c:\ijji\ENGLISH\u_gbound.exe is a component of a game. I can uninstall it if you wish; I don't use it anymore.

#14 hobenenenen (New Member, 31 posts)
I don't believe I have the Windows CD, so I took the necessary route and downloaded the Windows XP version and the Windows Service Pack 2. I dragged the second item onto the Combofix icon as the tutorial instructed, and it prompted me that there was an updated version of Combofix and asked if I'd like to update (which I did). Then it began to run Combofix, but again told me that AVG7.5 was enabled. So (since I wasn't in Safe Mode) I exited Combofix when it gave me the option to do so.

I will await further instructions. I also couldn't uninstall the ijji contents (they didn't appear in the Add/Remove list).

#15 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)
OK I have a CFScript for you, after you do this to remove AVG:

Open Notepad by Clicking start -> run -> type notepad
Hit Enter
Paste in the following bolded text into the Notepad window:

sc stop Avg7Alrt
sc config Avg7Alrt start= disabled
sc delete Avg7Alrt
sc stop AvgTdi
sc config AvgTdi start= disabled
sc delete AvgTdi
sc stop Avg7UpdSvc
sc config Avg7UpdSvc start= disabled
sc delete Avg7UpdSvc
sc stop AVGEMS
sc config AVGEMS start= disabled
sc delete AVGEMS
if exist "%userprofile%\documents\AVGStatus.txt" del "%userprofile%\documents\AVGStatus.txt"
sc query Avg7Alrt > "%userprofile%\documents\AVGStatus.txt"
sc query AvgTdi >> "%userprofile%\documents\AVGStatus.txt"
sc query Avg7UpdSvc >> "%userprofile%\documents\AVGStatus.txt"
sc query AVGEMS >> "%userprofile%\documents\AVGStatus.txt"
notepad "%userprofile%\documents\AVGStatus.txt"


Save the file to your desktop by setting the "Save as Type" to "all files", and save it as AVGRemove.bat

Double-click the AVGRemove.bat gear icon on your desktop (allow the script to run and disable any script blocking programs first).

A TXT file called AVGStatus.txt located in your documents folder will open. Please copy and paste the contents in a reply back here immediately, and then proceed with the next instructions - do not wait for me to reply (this is a before and after comparison).

Next, boot into safe mode (using the F8 key method), and repeat the same above directions. Again a file will open in Notepad. Close the file - reboot and then locate and post the contents of the NEW AVGStatus.txt located in your documents folder (check the time/date stamp).

I'll remove that game-related folder in the CFScript. What firewall are you using? There are references to a Symantec firewall in your CF log.

#16 hobenenenen (New Member, 31 posts)

negster22, on May 17 2009, 04:12 PM, said: [post #15, quoted in full]

I copied and pasted what you just sent into Notepad, saved it as all files on the desktop as instructed, and then ran it. It ran for a few seconds, but then it opened up Notepad (which was empty) and a message popped up: "The system cannot find the path specified." I don't know if this is because I have a script blocking program up (to my knowledge I do not). I will do the Safe Mode method now and post my results.

#17 hobenenenen (New Member, 31 posts)
I tried it in Safe Mode too and the same thing happened. Should I do the CF Recovery Console in Safe Mode?

#18 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)

hobenenenen, on May 17 2009, 10:39 PM, said:

I tried it in Safe Mode too and the same thing happened. Should I do the CF Recovery Console in Safe Mode?

OK - disable Windows Defender and Avira Antivir Guard.

Now, delete the AVGStatus.bat file on your desktop.

Copy/Paste the following bolded text into a Notepad file (make sure wordwrap is unchecked under format):

sc stop WinDefend
sc stop Avg7Alrt
sc config Avg7Alrt start= disabled
sc delete Avg7Alrt
sc stop AvgTdi
sc config AvgTdi start= disabled
sc delete AvgTdi
sc stop Avg7UpdSvc
sc config Avg7UpdSvc start= disabled
sc delete Avg7UpdSvc
sc stop AVGEMS
sc config AVGEMS start= disabled
sc delete AVGEMS
if exist "%userprofile%\documents\AVGStatus.txt" del "%userprofile%\documents\AVGStatus.txt"
sc query Avg7Alrt > "%userprofile%\documents\AVGStatus.txt"
sc query AvgTdi >> "%userprofile%\documents\AVGStatus.txt"
sc query Avg7UpdSvc >> "%userprofile%\documents\AVGStatus.txt"
sc query AVGEMS >> "%userprofile%\documents\AVGStatus.txt"
notepad "%userprofile%\documents\AVGStatus.txt"
Pause


Save the file to your desktop by setting the "Save as Type" to "All Files", and save it as AVGRemove.bat.

Double-click the AVGRemove.bat gear icon on your desktop (allow the script to run and disable any script blocking programs first). A black CMD window should open and stay that way as the batch commands process.

A TXT file called AVGStatus.txt located in your documents folder will open. Ignore that for now.

The command console (CMD window) should still be open at the end of the batch processing.
Right-click the DOS window and choose: Select All from the context menu (color changes)
Right-click the DOS window again and this will copy the content to the clipboard. (color changes to black again)
Copy and paste the content of the CMD window in your next reply.

Now, copy and paste back the content of the Notepad file AVGStatus.txt.

Forget the safe mode part and the Recovery console for now. I want to see what happens first.

Turn ON Windows Defender and Avira Antivir Guard.

#19 hobenenenen (New Member, 31 posts)

negster22, on May 17 2009, 05:15 PM, said: [post #18, quoted in full]

Alright, I did everything you described, but the "The system could not find the path specified" message popped up again. No such file called "AVGStatus.txt" was created. I made sure to disable Windows Defender and Avira, and I made sure Wordwrap was unchecked; however, I'm not sure if I had any script blocking programs running (to my knowledge I don't own any). Here are the DOS window contents:


C:\Documents and Settings\Hoben\Desktop>sc stop WinDefend
[SC] ControlService FAILED 1062:

The service has not been started.


C:\Documents and Settings\Hoben\Desktop>sc stop Avg7Alrt
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc config Avg7Alrt start= disabled
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc delete Avg7Alrt
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc stop AvgTdi
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc config AvgTdi start= disabled
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc delete AvgTdi
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc stop Avg7UpdSvc
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc config Avg7UpdSvc start= disabled
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc delete Avg7UpdSvc
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc stop AVGEMS
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc config AVGEMS start= disabled
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>sc delete AVGEMS
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Documents and Settings\Hoben\Desktop>if exist "C:\Documents and Settings\Hobe
n\documents\AVGStatus.txt" del "C:\Documents and Settings\Hoben\documents\AVGSta
tus.txt"

C:\Documents and Settings\Hoben\Desktop>sc query Avg7Alrt 1>"C:\Documents and S
ettings\Hoben\documents\AVGStatus.txt"
The system cannot find the path specified.

C:\Documents and Settings\Hoben\Desktop>sc query AvgTdi 1>>"C:\Documents and Se
ttings\Hoben\documents\AVGStatus.txt"
The system cannot find the path specified.

C:\Documents and Settings\Hoben\Desktop>sc query Avg7UpdSvc 1>>"C:\Documents an
d Settings\Hoben\documents\AVGStatus.txt"
The system cannot find the path specified.

C:\Documents and Settings\Hoben\Desktop>sc query AVGEMS 1>>"C:\Documents and Se
ttings\Hoben\documents\AVGStatus.txt"
The system cannot find the path specified.

C:\Documents and Settings\Hoben\Desktop>notepad "C:\Documents and Settings\Hoben
\documents\AVGStatus.txt"

C:\Documents and Settings\Hoben\Desktop>Pause
Press any key to continue . . .

#20 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)
OK that's good! None of the AVG services exist any more so the error msg was generated because of the TXT file creation, not the service operations being performed.

Turn off Windows Defender and Avira Antivir Guard.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.
Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::

Driver::
avgtdi

File::
C:\Windows\system32\drivers\avgtdi.sys

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\ijji\\ENGLISH\\u_gbound.exe"=-

NetSvcs::
orkzuztv

Folder::
c:\program files\Grisoft\AVG Free\
c:\program files\Viewpoint
c:\ijji\

[image: CFScript.txt being dragged onto ComboFix.exe]

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. Then re-enable them after you get the new Combofix report.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will cause ComboFix to run again. Only if you have to, run the CFScript in safe mode.

Please post back the log that opens when it finishes.

Turn back on Windows Defender and Avira Antivir Guard.
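The batch files in #15 and #18 failed at the redirection step, not at the service operations: the transcript in #19 shows every `sc` call returning 1060 (service not installed) while the `>"%userprofile%\documents\AVGStatus.txt"` redirections hit "The system cannot find the path specified", because that folder does not exist on this XP profile. The script below is an added example, not negster22's script, that does the same cleanup but resolves the documents folder from the registry's Shell Folders "Personal" value and checks each service exists before acting; it assumes the four service names from the thread and an administrator account.

```batch
@echo off
rem Added example (not the thread's script): remove leftover AVG 7.5 services and
rem write a status report. Assumes the service names listed in the thread
rem (Avg7Alrt, AvgTdi, Avg7UpdSvc, AVGEMS) and that it runs as an administrator.
setlocal

rem The thread's script hardcoded %userprofile%\documents, which this XP profile
rem does not have. Read the real "My Documents" path from the Shell Folders key
rem and fall back to the profile root if the lookup fails or the folder is gone.
set "DOCS="
for /f "tokens=2*" %%A in ('reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Personal 2^>nul ^| find "REG_SZ"') do set "DOCS=%%B"
if not defined DOCS set "DOCS=%USERPROFILE%"
if not exist "%DOCS%\" set "DOCS=%USERPROFILE%"

set "STATUS=%DOCS%\AVGStatus.txt"
if exist "%STATUS%" del "%STATUS%"
rem Redirection goes first so a digit at the end of %TIME% is never read as a handle.
>"%STATUS%" echo AVG service status - %DATE% %TIME%

for %%S in (Avg7Alrt AvgTdi Avg7UpdSvc AVGEMS) do call :remove_service %%S

echo.
echo Report written to "%STATUS%"
notepad "%STATUS%"
endlocal
goto :eof

:remove_service
rem sc.exe exits with the Win32 error code: 1060 is "not an installed service",
rem so there is nothing to stop, disable or delete (this is what #19 showed).
sc query %1 >nul 2>&1
if %errorlevel% equ 1060 (
    >>"%STATUS%" echo %1: not installed - skipped
    goto :eof
)
sc stop %1 >nul 2>&1
rem 1062 is "The service has not been started": already stopped, not a failure.
if %errorlevel% equ 1062 >>"%STATUS%" echo %1: was not running
sc config %1 start= disabled >nul
sc delete %1 >nul
rem Query once more so the report shows whether the delete took effect (a service
rem that is still marked for deletion disappears on the next reboot).
sc query %1 >>"%STATUS%" 2>&1
goto :eof
```

Run it twice, once before and once after a reboot, to get the same before/after comparison negster22 asked for in #15; the report records a "not installed" line for each service that is already gone instead of failing silently.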